6 metrics for evaluating telework risk, security capabilities and preparedness
After rapidly shifting to a mass telework environment, the federal government is evaluating security controls and risk management policies so agencies can continue remote work now and into the future.
“There is a new way of doing business,” Defense Department Principal Deputy CIO Essye Miller said at a May 6 conference. “We have to define what that looks like based on the mission.”
Defense agencies redefining their security for remote workers should evaluate current infrastructure and potential vulnerabilities so they can adjust controls and align technology, security and operations. They should also consult the security, telework and remote access (RA) best practices in the National Institute of Standards and Technology's Special Publication (SP) 800-46 when evaluating that infrastructure.
Agencies can also assess their risk, security capabilities and preparedness against the following six telework health metrics:
Evaluation metric #1: Scalability during continuity-of-operations scenarios
Initially, DOD organizations did not have the bandwidth or throughput to meet mass telework needs. Joint Regional Security Stacks were not built to support a near total shift to teleworking, which amplified ongoing concerns around performance, reliability, latency and cost.
Many defense agencies have increased remote capabilities and bandwidth. Now, however, they must ensure these capabilities are scalable, cloud-based solutions that can accommodate the expanding mobile workforce and “consolidate infrastructure, leverage commodity IT functions, and eliminate functional redundancies, while improving continuity of operations,” as outlined in the DoD Cloud Computing Security Requirements Guide.
Evaluation criteria: Organizations proactively moving to scalable cloud-native capabilities should receive higher scores than those responding to crisis by modifying current architecture to grow capacity.
Evaluation metric #2: Infrastructure exposure to external attack
Traditional RA models rely on appliances that must be reachable from the internet, which means exposing listening ports, protocols and IP address space. The more of these openings there are, the larger the attack surface.
Instead, agencies should prefer a model that requires only a single outbound connection (TCP port 443) to a defined set of IP addresses belonging to a security cloud provider, with no inbound listeners at all. Agencies and cloud service providers should consult the Defense Information Systems Network Cloud Connection Process Guide to navigate DOD assessments and connection processes.
Evaluation criteria: Agencies that have a single secure outbound port to a defined set of IP addresses score more points than those using inbound ports, a greater number of outbound ports or a broad range of IP addresses.
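One way to turn this criterion into a repeatable check is to audit the RA firewall policy for the three deviations it names: inbound listeners, egress ports beyond TCP 443, and broad address ranges. The script below is an added example, not code from the article or from any DOD guide; the rule format, the "/16 counts as broad" threshold and the two rule sets are constructed for illustration, and the provider addresses are RFC 5737 documentation ranges.

```python
"""Audit a remote-access firewall policy against the metric #2 criteria.

Added example, not from the original article. Rules are a constructed,
simplified representation (direction, protocol, port, remote CIDR); an
export from a real firewall or cloud security group would need its own
parser before being fed to audit().
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str  # "in" (listener reachable from the remote range) or "out"
    proto: str      # "tcp" or "udp"
    port: int
    cidr: str       # remote address range the rule permits


# Assumption for this example: a range wider than a /16 counts as "broad".
BROAD_PREFIX_LIMIT = 16
ALLOWED_EGRESS = {("tcp", 443)}


def audit(rules):
    """Return a list of findings, one per deviation from the single-outbound-443 model."""
    findings = []
    for r in rules:
        if r.direction == "in":
            findings.append(f"inbound {r.proto}/{r.port} from {r.cidr}: service listening for outside connections")
        elif (r.proto, r.port) not in ALLOWED_EGRESS:
            findings.append(f"outbound {r.proto}/{r.port} to {r.cidr}: egress port beyond tcp/443")
        net = ipaddress.ip_network(r.cidr, strict=False)
        if net.prefixlen < BROAD_PREFIX_LIMIT:
            findings.append(f"{r.direction}bound {r.proto}/{r.port} to {r.cidr}: broad range ({net.num_addresses} addresses)")
    return findings


def score(rules):
    """Score 0-3: a point each for no inbound rules, tcp/443 as the only egress, no broad ranges."""
    points = 0
    if not any(r.direction == "in" for r in rules):
        points += 1
    egress = {(r.proto, r.port) for r in rules if r.direction == "out"}
    if egress == ALLOWED_EGRESS:
        points += 1
    if not any(ipaddress.ip_network(r.cidr, strict=False).prefixlen < BROAD_PREFIX_LIMIT for r in rules):
        points += 1
    return points


# Constructed rule sets. Addresses come from the RFC 5737 documentation ranges.
LEGACY_VPN = [
    Rule("in", "udp", 500, "0.0.0.0/0"),    # IKE
    Rule("in", "udp", 4500, "0.0.0.0/0"),   # IPsec NAT-T
    Rule("in", "tcp", 443, "0.0.0.0/0"),    # SSL VPN portal
    Rule("out", "tcp", 443, "0.0.0.0/0"),
]
CLOUD_BROKERED = [
    Rule("out", "tcp", 443, "198.51.100.0/24"),  # assumed provider range
    Rule("out", "tcp", 443, "203.0.113.0/24"),   # assumed provider range
]

if __name__ == "__main__":
    for name, rules in (("legacy VPN", LEGACY_VPN), ("cloud-brokered", CLOUD_BROKERED)):
        print(f"{name}: score {score(rules)}/3")
        for f in audit(rules):
            print("  -", f)
```

Run stand-alone, the legacy VPN rule set scores 1 of 3 (its only credit is that egress is already limited to tcp/443) with seven findings, while the cloud-brokered set scores 3 with none. The point of the three separate checks is that each maps to one clause of the evaluation criteria, so an agency can see which clause it is losing points on rather than just a total.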
Evaluation metric #3: User capability management through modern and unified authentication, authorization and accounting
As IT administrators update user policies to accommodate a remote user base, they should consolidate the tools that manage authentication, authorization and accounting (AAA). If agencies use complex tools with multiple interfaces, methodologies and terminologies, there is increased risk of undetected threats.
Instead, a modern access approach, such as zero trust, wraps policy around the user, so that administrators get full visibility and control through a central control plane while the user experience stays seamless.
Evaluation criteria: Higher scores go to agencies using a central control plane to manage, administer and log user abilities in one place, and lower scores to those with a more complex set of tools to manage and analyze AAA.
Evaluation metric #4: Level of access granted to remote users
Federal employees working remotely need access to the right agency resources and applications, and access to everything else should be withheld. Agencies' RA capabilities should therefore isolate access to individual applications and verify users before granting it. A zero-trust approach supplies that verification and, by exposing only the application rather than the network, reduces the attack surface.
Evaluation criteria: Higher scores for verifying and granting access to remote users without ever placing them on the network. Lower scores for agencies using legacy RA technology to place the user directly on the network, as if they are connecting locally.
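The difference between the two scoring tiers is what the access decision produces: a per-application grant after verification, or a network route. The broker below is an added example, not code from the article or from any zero-trust product; the users, groups, applications and policy table are constructed, and a real deployment would take the MFA and device-posture signals from its identity provider and device-management system.

```python
"""Per-application access decisions for remote users (added example).

Illustrates metric #4: verify the user and the device first, then grant a
brokered session to one application rather than a route onto the network.
Every user, group, application and policy below is constructed for the
example; a real broker would take these signals from the identity provider
and device-management system.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    mfa_verified: bool
    device_managed: bool
    app: str


# Constructed policy: which groups may reach each app and whether a managed device is required.
APP_POLICY = {
    "timecard": {"groups": {"staff"}, "managed_device": False},
    "hr-portal": {"groups": {"hr"}, "managed_device": True},
    "finance-ledger": {"groups": {"finance"}, "managed_device": True},
}


def decide(req):
    """Return (allowed, reason). The grant, if any, is scoped to req.app alone."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return False, "unknown application"
    if not req.mfa_verified:
        return False, "user identity not verified with MFA"
    if policy["managed_device"] and not req.device_managed:
        return False, "application requires a managed device"
    if not (req.groups & policy["groups"]):
        return False, "user is not in an authorized group"
    return True, f"brokered session to {req.app}"


def reachable_apps(user, groups, mfa_verified, device_managed):
    """Applications this user could be brokered to: the remote user's entire reachable surface."""
    return sorted(
        app for app in APP_POLICY
        if decide(AccessRequest(user, frozenset(groups), mfa_verified, device_managed, app))[0]
    )


if __name__ == "__main__":
    # constructed user: HR staff member, first on an unmanaged home device, then on a managed one
    print(reachable_apps("alice", {"staff", "hr"}, mfa_verified=True, device_managed=False))
    print(reachable_apps("alice", {"staff", "hr"}, mfa_verified=True, device_managed=True))
```

Note that `reachable_apps` is the whole surface a verified user can touch; on a legacy VPN the equivalent answer would be every host on the subnet the client was placed on, regardless of which applications the user actually needs. Deny is the default for an unknown application, a failed MFA check, a non-compliant device or a missing group, and the reason string is what an administrator would expect to see logged through the central control plane described under metric #3.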
Evaluation metric #5: Effort level required to maintain remote access infrastructure
Defense agencies following the DoD Secure Cloud Computing Architecture Functional Requirements will “proactively and reactively provide a layer of overall protection against attacks upon the DISN infrastructure.”
Agencies that maintain appliance-based RA solutions must continually update firmware, software, security configurations and policies as technology changes and adversaries advance. Furthermore, in an emergency the availability requirement means the infrastructure must be built at N+1 for high availability, possibly across multiple locations, which further expands the burden of sustaining an appliance-based RA solution.
If agencies shift to a software-as-a-service cloud model, they will reduce maintenance upkeep and improve scalability, giving them a much more proactive posture with less maintenance overhead while providing the same level of security in the cloud that is typical of physical data centers.